The ECJ’s Landmark Judgment Subjecting Many Multinationals to Multiple Data Protection Authorities in the EU

The Court of Justice of the European Union (ECJ) has been very busy in recent weeks reshaping EU privacy laws. In addition to its much-anticipated decision in the Schrems case (Case C-362/14), which essentially rules that the U.S.-EU Safe Harbor Program is invalid 14 PVLR 1825, 10/12/15, 194 Privacy Law Watch, 10/7/15, the ECJ has also rendered judgment on the key issue of “establishment” in another landmark case (Case C-230/14, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság) 192 Privacy Law Watch, 10/5/15, 14 PVLR 1779, 10/5/15.

In the Weltimmo case, the ECJ ruled Oct. 1, that businesses with only very minimal operations in an EU member state can nevertheless be subject to the data protection laws of that member state, where they process personal data in the context of activities directed towards that member state. This effectively widens the scope of “establishment” and creates additional headaches for those businesses with EU operations.

The action point for companies with an EU footprint, therefore, is to review their EU processing activities, rethink where they might be established and look to comply with local laws in those jurisdictions. Status quo is not an option for those who wish to avoid enforcement action in “foreign” jurisdictions they previously thought they could ignore.

Background

The Weltimmo case was referred to the ECJ by the Curia, Hungary’s highest judicial authority.

The facts of the case can be summarized as follows:

Weltimmo operated a property advertising service in Hungary, but was headquartered in Slovakia. It allowed people to advertise a property free of charge for one month, but then subsequently charged a fee. When Weltimmo failed to delete advertisements and personal data at its customers’ request upon the expiry of the free offer period, and passed such data on to debt collection agencies seeking payment for an ongoing subscription, it was fined by the Hungarian data protection authority (NAIH). The NAIH considered it had jurisdiction to impose a fine on the Slovakian company for breaches of Hungarian data protection laws because Weltimmo was “established” in Hungary 166 Privacy Law Watch, 8/28/12, 11 PVLR 1353, 9/3/12.

Weltimmo had one representative on the ground in Hungary, a Hungarian bank account and a post office box in the country, and so it appealed the NAIH’s decision to the Hungarian court on the basis that this was not sufficient to amount to an establishment, nor confer jurisdiction on the Hungarian data protection authority. Although the NAIH’s decision was annulled for lack of clarity over some of the facts, the first instance court did not accept Weltimmo’s defence.

The dispute was then escalated up to the Curia, at which point Weltimmo continued to argue that the NAIH had no jurisdiction to apply Hungarian law to it, as 1) it was registered in Slovakia, and 2) the NAIH had failed in its view to follow the procedure set out in Article 28(6) of the EU Data Protection Directive (95/46/EC) dealing with “supervisory authorities”, namely that the NAIH should have shared its findings with the Slovakian data protection authority and requested its Slovakian counterpart to exercise its authority.

Article 28(6) of the Data Protection Directive states:

Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

The Hungarian data protection authority disagreed with Weltimmo’s interpretation of Article 28(6), arguing that the relevant law was Hungarian law, and that it retained competence and jurisdiction under the Data Protection Directive.

It relied on the wording under Article 28(6), which says, “whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3”.

It further pointed to Article 4(1), which deals with the applicable national law and says:

Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable.

The Curia was unclear as to the correct interpretation and decided to make a reference to the ECJ.

The ECJ’s Judgment

The ECJ’s judgment concerned the interpretation of the words “in the context of the activities of an establishment” as they are used in Article 4 of the Data Protection Directive and, significantly, ruled that this extends to “any real and effective activity — even a minimal one — exercised through stable arrangements”.

The ECJ went on to say:

In order to establish whether a company, the data controller, has an establishment … in a Member State other than the Member State or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.

Weighing matters up, the ECJ was of the view that Weltimmo did pursue a “real and effective activity” in Hungary, as it advertised Hungarian properties, its website was written in Hungarian and the processing of personal data took place in the context of these activities. The fact that the company also had a Hungarian bank account, a letter box for “everyday business affairs” and had one representative working for it in Hungary was also relevant.

Given the nature of Weltimmo’s operations, the ECJ considered that Weltimmo did have an establishment in Hungary and was, therefore, subject to Hungary’s data protection regime: It said:

The presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.

The ECJ went on to say:

[The EU’s Data Protection Directive] … must be interpreted as permitting the application of the law on the protection of personal data of a Member State other than the Member State in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity — even a minimal one—in the context of which that processing is carried out.

Interestingly, the ECJ also confirmed that the nationality of the data subjects whose data Weltimmo processed was irrelevant to determining which law applied, and also clarified that national data protection authorities are entitled to conduct their own investigations into alleged breaches of privacy laws by companies based in other countries. Nevertheless, where those companies are governed by another EU member state’s laws, the investigating authority cannot issue sanctions (although it is free to liaise with its counterparts in the member states where the offending company is established and to share findings).

Comment

This ruling changes the landscape of data protection for companies operating in more than one EU member state, eroding the idea of a “one-stop shop” in terms of a single supervising data protection authority and making many companies subject to multiple data protection authorities in the EU.

Previously, companies could arguably “forum shop” from a data protection perspective, choosing to headquarter in an EU member state perceived to be more business-friendly, such as the U.K. or Ireland, whilst seeking to avoid the long arms of some of the traditionally more conservative (and often aggressive) data protection authorities.

However, following this ruling, if a company operates a website in the native language of a particular EU member state, or has representatives in that member state (amongst other things), then this could well be enough to constitute an “establishment”, such that the company would be accountable under that member state’s laws and be subject to enforcement action in that member state, regardless of where it is headquartered.

Whilst this ruling means that Weltimmo is likely to be liable for a fairly hefty fine levied by Hungary’s NAIH, the ramifications of this judgment are much further reaching, and are likely to significantly increase compliance costs for companies with pan-EU operations.

Steven Farmer is counsel at Pillsbury Winthrop Shaw Pittman LLP, London. He may be contacted at steven.farmer@pillsburylaw.com.